Three out of four banking websites have serious security flaws – study

Humphrey Cheung, 23rd July 2008

Ann Arbor (MI) – A soon to be released University of Michigan study will show that more than 75% of banking websites have serious security flaws. According to Atul Prakash, professor of electrical engineering and computer science, these flaws are design issues that cannot be quickly solved with a simple patch or upgrade.

Prakash, along with doctoral students Laura Falk and Kevin Borders, studied 214 financial institutions and found that the most serious issue was the placement of contact or security information on insecure pages. Prakash argues that this can easily lead to phishing attacks by the placement of bogus numbers that lead to scam artists.

Approximately 55% of the sites had this problem, while 47% placed login boxes on insecure pages. Prakash is recommending that banks use SSL protocol to secure their login pages. Why any bank still has a non-SSL login page is beyond me.

Rounding out the top five security problems are poor email security, broken chain of trust where banks redirect users to insecure outside sites and inadequate user id and passwords. 31, 30 and 28 percent of websites had these problems, respectively.

Of course security problems can erode public trust in banking websites and Prakash says, "Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."

Prakash’s study titled “Analyzing Web Sites for User-Visible Security Design Flaws” will be released later this month on his website here.